How to install FREE Let’s Encrypt wildcard SSL?

When we talk about SSL, we talk about security. And security has a price: a giant price. SSLs used to be a costly affair unless the Let’s Encrypt community showed up and massively disrupted the CA Industry.

Wildcard SSLs are extremely costly, even today. Companies used to charge heavy fees on their purchases and renewals. But after the advent of Let’s Encrypt, you are not required to pay anything! Yes, anything! Because its FREE! And it provides SSL Certification at domain level verification.

Let’s Encrypt SSLs are free for both the domain as well as the subdomains. You can get a free certificate for all your subdomains along with the main domain at once. This is indeed the concept of Wildcard SSL.

Wildcard SSL protects all your subdomains and the main domain using one single certificate. Here, we would be guiding you to make you learn how to get a wildcard SSL and install it on your server for free from Let’s Encrypt.

So let’s get started:

Step 1

Download stonemax/acme2 and install the composer:

https://github.com/stonemax/acme2

Preferably, git clone using SSH with the following commands:

git clone https://github.com/stonemax/acme2
cd acme2
composer install

Step 2

There is an update in Let’s Encrypt Library so kindly make a small change in src/services/NonceService.php (Line Number 87)

From [Old Code]

if ($code != 204)
{
 throw new NonceException("Get new nonce failed, the url is: {$newNonceUrl}");
}

To [New Code]

if ($code != 200)
{
 throw new NonceException("Get new nonce failed, the url is: {$newNonceUrl}");
}

Please note: Kindly ignore this step if the stonemax library already has the above new code.

Step 3

Rewrite the example.php file in home/<your_path>/stonemax/acme2/examples

<?php
/**
 * example php file
 * Updated by Akshay Srivastava, CEO, Webdoors.IN.
 * @author Zhang Jinlong <466028373@qq.com>
 * @link https://github.com/stonemax/acme2
 * @copyright Copyright © 2018 Zhang Jinlong
 * @license https://opensource.org/licenses/mit-license.php MIT License
 */

include('../vendor/autoload.php');

use stonemax\acme2\Client;
use stonemax\acme2\constants\CommonConstant;
$domainInfo = [
    CommonConstant::CHALLENGE_TYPE_HTTP => [
        'yourdomain.com'
    ],

    CommonConstant::CHALLENGE_TYPE_DNS => [
        '*.yourdomain.com',
        '*.www.yourdomain.com'
    ],
];

$client = new Client(['email@yourdomain.com'], '../data/', FALSE);

$algorithm = CommonConstant::KEY_PAIR_TYPE_RSA;                 // Generate RSA certificates, `CommonConstant::KEY_PAIR_TYPE_EC` for ECDSA certificates
$renew = FALSE;                                                 // Renew certificates


$order = $client->getOrder($domainInfo, $algorithm, $renew);    // Get an order service instance

//$order->getPendingChallengeList();                              // Get all authorization challenges for domains

$challengeList = $order->getPendingChallengeList();
foreach ($challengeList as $challenge)
{
    print_r($challenge->getType());          // Challenge type, http-01 or dns-01
    print_r($challenge->getCredential());    // Challenge detail, http-01 with file name and file content, dns-01 with dns record value
    $challenge->verify();           // Do verifying operation, this method will loop infinitely until verification passed
}

$CS_info = $order->getCertificateFile();
print_r($CS_info);

?>

Please note: yourdomain.com will be replaced with the domain you want an SSL Certificate for.

Step 4

Login to your SSH and execute example.php by the following command:

php example.php

Step 5

There will be two types of verification by Let’s Encrypt:

1) File verification:

You will receive the output like:

'http-01'
[
'identifier' => 'yourdomain.com',
'fileName' => 'RzMY-HDa1P0DwZalmRyB7wLBNI8fb11LkxdXzNrhA1Y',
'fileContent' => 'RzMY-HDa1P0DwZalmRyB7wLBNI8fb11LkxdXzNrhA1Y.CNWZAGtAHIUpstBEckq9W_-0ZKxO-IbxF9Y8J_svbqo',
];

With the above verification info, Let’s Encrypt will access “http://yourdomain.com/.well-known/acme-challenge/HDa1P0DwZalmRyB7wLBNI8fb11LkxdXzNrhA1Y”, and the file content will be expected as “RzMY-HDa1P0DwZalmRyB7wLBNI8fb11LkxdXzNrhA1Y.CNWZAGtAHIUpstBEckq9W_-0ZKxO-IbxF9Y8J_svbqo”.

Therefore you are required to create a file with
name HDa1P0DwZalmRyB7wLBNI8fb11LkxdXzNrhA1Y in
http://www.yourdomain.com/.well-known/acme-challenge/
and save it with fileContent value
RzMY-HDa1P0DwZalmRyB7wLBNI8fb11LkxdXzNrhA1Y.CNWZAGtAHIUpstBEckq9W_-0ZKxO-IbxF9Y8J_svbqo

Please note: fileName and fileContent values will be different in your case.

And you are done with the http verification of yourdomain.com.

2) DNS Verification

You will receive the output like:

'dns-01'

[
'identifier' => 'yourdomain.com',
'dnsContent' => 'xQwerUEsL8UVc6tIahwIVY4e8N5MAf1xhyY20AELurk',
];

'dns-01'
[
'identifier' => 'www.yourdomain.com',
'dnsContent' => 'yWjxrAZsL8UVc6tIahwIVY4e8N5MAf1xhyY20AEDawn',
];

In this case you need to goto your Advanced DNS Settings. You need to add two TXT records like this:

Domain NameDNS record nameTypeTTLDNS record values

*.yourdomain.com

_acme-challenge.yourdomain.com
TXT60
xQwerUEsL8UVc6tIahwIVY4e8N5MAf1xhyY20AELurk
*.www.yourdomain.com
_acme-challenge.www.yourdomain.com
TXT60
yWjxrAZsL8UVc6tIahwIVY4e8N5MAf1xhyY20AEDawn

Please note: dnsContent or DNS Value will be different in your case. Above is just an example.
Also, these verifications will happen sequentially (one after the other). You will be needed to verify the first one first to get the verification value for the next one. It will only proceed to the second verification when the first verification will be successful. Here are three verifications in total:

  1. yourdomain.com (File Verification)
  2. *.yourdomain.com (DNS Verification)
  3. *.www.yourdomain.com (DNS Verification)

Any of the verificaion may pop-up first irrespective of their order in program.

Step 6

Once successfully done, you will receive your SSL Certificate in:
/home/<your_path>/stonemax/acme2/data/<your_account_id>/rsa

Copy the content of certificate-fullchained.crt and paste it in your SSL installer’s certificate text area.

Then, copy the content of private.pem and paste it in your SSL installer’s key text area.

Press Install! You’re done!

Please note: You may ask your hosting provider for help in case you don’t find the SSL installer in your hosting account’s dashboard or you are unable to install the SSL even after the successful SSL order.